用系统未公开的几个API就可以做到:
const
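{ Shell change-notification event ids (SHCNE_*); the handler receives one in lParam. }
  SHCNE_RENAMEITEM = $1;
  SHCNE_CREATE = $2;
  SHCNE_DELETE = $4;
  SHCNE_MKDIR = $8;
  SHCNE_RMDIR = $10;
  SHCNE_MEDIAINSERTED = $20;
  SHCNE_MEDIAREMOVED = $40;
  SHCNE_DRIVEREMOVED = $80;
  SHCNE_DRIVEADD = $100;
  SHCNE_NETSHARE = $200;
  SHCNE_NETUNSHARE = $400;
  SHCNE_ATTRIBUTES = $800;
  SHCNE_UPDATEDIR = $1000;
  SHCNE_UPDATEITEM = $2000;
  SHCNE_SERVERDISCONNECT = $4000;
  SHCNE_UPDATEIMAGE = $8000;
  SHCNE_DRIVEADDGUI = $10000;
  SHCNE_RENAMEFOLDER = $20000;
  SHCNE_FREESPACE = $40000;
  SHCNE_ASSOCCHANGED = $8000000;
  SHCNE_DISKEVENTS = $2381F;
  SHCNE_GLOBALEVENTS = $C0581E0;
  SHCNE_ALLEVENTS = $7FFFFFFF;
  SHCNE_INTERRUPT = $80000000;

  { SHCNF_* item-type flags, as declared by this listing. }
  SHCNF_IDLIST = 0;
  SHCNF_PATHA = $1;
  SHCNF_PRINTERA = $2;
  SHCNF_DWORD = $3;
  SHCNF_PATHW = $5;
  SHCNF_PRINTERW = $6;
  SHCNF_TYPE = $FF;
  SHCNF_FLUSH = $1000;
  SHCNF_FLUSHNOWAIT = $2000;
  SHCNF_PATH = SHCNF_PATHW;
  SHCNF_PRINTER = SHCNF_PRINTERW;

  { Window message the shell is asked to post; $401 equals WM_USER + 1. }
  WM_SHNOTIFY = $401;
  NOERROR = 0;

type
  { Pair of item-id lists that the notification message's wParam points to. }
  PSHNotifyStruct = ^TSHNotifyStruct;
  TSHNotifyStruct = record
    dwItem1: PItemIDList;
    dwItem2: PItemIDList;
  end;

  PSHFileInfoByte = ^TSHFileInfoByte;
  _SHFILEINFOBYTE = record
    hIcon: Integer;
    iIcon: Integer;
    dwAttributes: Integer;
    szDisplayName: array [0..259] of Char;
    szTypeName: array [0..79] of Char;
  end;
  TSHFileInfoByte = _SHFILEINFOBYTE;

  { One watch entry handed to SHChangeNotifyRegister. }
  PIDLStruct = ^TIDLStruct;
  _IDLSTRUCT = record
    pidl: PItemIDList;
    bWatchSubFolders: Integer;
  end;
  TIDLStruct = _IDLSTRUCT;

  { Form class }
  TInspector = class(TForm)
    MemoInfo: TMemo;
    sbNotify: TSpeedButton;
    sbClear: TSpeedButton;
    sbSave: TSpeedButton;
    procedure FormClose(Sender: TObject; var Action: TCloseAction);
    procedure sbNotifyClick(Sender: TObject);
    procedure sbClearClick(Sender: TObject);
    procedure sbSaveClick(Sender: TObject);
    procedure FormKeyPress(Sender: TObject; var Key: Char);
  private
    procedure WMnotify(var m: TMessage); message WM_SHNOTIFY;
  end;

{ Both registration functions are bound by ordinal, which is not a stable
  contract. NOTE(review): later Windows SDKs document these two functions and
  shell32 exports them by name - confirm for the target OS and prefer binding
  by name. }
function SHChangeNotifyRegister(hWnd, uFlags, dwEventID, uMSG, cItems: LongWord;
  lpps: PIDLStruct): integer; stdcall;
  external 'Shell32.dll' index 2;

function SHChangeNotifyDeregister(hNotify: integer): integer; stdcall;
  external 'Shell32.dll' index 4;

function SHGetFileInfoPidl(pidl: PItemIDList;
  dwFileAttributes: integer;
  psfib: PSHFileInfoByte;
  cbFileInfo: integer;
  uFlags: integer): integer; stdcall;
  external 'Shell32.dll' name 'SHGetFileInfoA';

function shnRegister(hWnd: integer): Boolean;
function shnUnRegister: Boolean;
function shEventName(Path1, Path2: string; lParam: integer): string;

var
  Inspector: TInspector;
  inotify: integer;          // registration handle; 0 means "not registered"
  IDLDesktop: PItemIDList;   // PIDL of the desktop folder, filled by shnRegister

implementation

{$R *.DFM}

{ Registers hWnd for shell change notifications on the desktop folder and its
  subfolders. Returns True when a registration handle was obtained; returns
  False when already registered or when any step fails. }
function shnRegister(hWnd: integer): Boolean;
var
  entry: TIDLStruct;
begin
  {$R-}  // SHCNE_ALLEVENTS or SHCNE_INTERRUPT does not fit a signed 32-bit range
  Result := False;
  if inotify = 0 then
  begin
    if SHGetSpecialFolderLocation(0, CSIDL_DESKTOP, IDLDesktop) <> NOERROR then
      Exit;
    if IDLDesktop <> nil then
    begin
      // The original allocated SizeOf(ps) bytes - the size of the pointer, not
      // of the record - and then wrote both fields through it, overrunning the
      // heap block; the block was never freed either. A stack record has the
      // right size and needs no cleanup.
      entry.pidl := IDLDesktop;
      entry.bWatchSubFolders := 1;
      // NOTE(review): uFlags is passed as SHCNF_TYPE or SHCNF_IDLIST ($FF);
      // the documented source flags for this parameter are the SHCNRF_*
      // values - confirm which bits are intended.
      inotify := SHChangeNotifyRegister(hWnd,
        (SHCNF_TYPE or SHCNF_IDLIST),
        (SHCNE_ALLEVENTS or SHCNE_INTERRUPT),
        WM_SHNOTIFY, 1, @entry);
      // Compare with 0 instead of casting Integer to Boolean; the cast may
      // keep only the low byte of the handle.
      Result := inotify <> 0;
    end;
  end;
  {$R+}
  // NOTE(review): IDLDesktop is never released in this listing; it should be
  // freed with the shell allocator once the watch is torn down.
end;

{ Cancels the registration made by shnRegister. Returns True only when a
  registration existed and the shell reported that it was removed. }
function shnUnRegister: Boolean;
begin
  Result := False;
  if inotify <> 0 then
    if SHChangeNotifyDeregister(inotify) <> 0 then
    begin
      {$R-}
      inotify := 0;
      Result := True;
      {$R+}
    end;
end;

{ Builds the log line for one event id. Unknown ids produce the generic
  "unknown operation" text with the numeric code. }
function shEventName(Path1, Path2: string; lParam: integer): string;
begin
  Result := '未知操作, 操作代码: #' + IntToStr(lParam);
  case lParam of
    SHCNE_RENAMEITEM: Result := '更名文件: ' + Path1 + ', ' + Path2;
    SHCNE_CREATE: Result := '建立文件: ' + Path1;
    SHCNE_DELETE: Result := '删除文件: ' + Path1;
    SHCNE_MKDIR: Result := '新建目录: ' + Path1;
    SHCNE_RMDIR: Result := '删除目录: ' + Path1;
    SHCNE_MEDIAINSERTED: Result := '插入可移动存储介质: ' + Path1;
    SHCNE_MEDIAREMOVED: Result := '移去可移动存储介质: ' + Path1;
    SHCNE_DRIVEREMOVED: Result := '移去驱动器: ' + Path1;
    SHCNE_DRIVEADD: Result := '添加驱动器: ' + Path1;
    SHCNE_NETSHARE: Result := '改变目录共享属性: ' + Path1;
    SHCNE_ATTRIBUTES: Result := '改变文件目录属性: ' + Path1;
    SHCNE_UPDATEDIR: Result := '更新目录: ' + Path1;
    SHCNE_UPDATEITEM: Result := '更新文件: ' + Path1;
    SHCNE_SERVERDISCONNECT: Result := '断开与服务器的连接: ' + Path1 + ', ' + Path2;
    SHCNE_UPDATEIMAGE: Result := '更新文件管理印象: ' + Path1;
    SHCNE_DRIVEADDGUI: Result := '驱动添加GUI接口: ' + Path1;
    SHCNE_RENAMEFOLDER: Result := '重命名文件夹: ' + Path1 + ', ' + Path2;
    SHCNE_FREESPACE: Result := '改变磁盘空间大小: ' + Path1;
    SHCNE_ASSOCCHANGED: Result := '改变文件关联方式: ' + Path1;
  end;
end;

{ Handler for WM_SHNOTIFY: resolves the two item-id lists to paths and appends
  a description of the event to the memo. }
procedure TInspector.WMnotify(var m: TMessage);
var
  Path1, Path2: string;
  PathChar: array [0..259] of Char;
  pidlItem: PSHNotifyStruct;
begin
  // NOTE(review): WM_SHNOTIFY is WM_USER + 1, a number other code that can
  // message this window may also use, and wParam is dereferenced as a pointer.
  // The nil checks below reduce that exposure but cannot prove the sender.
  pidlItem := PSHNotifyStruct(m.WParam);
  if pidlItem = nil then
    Exit;
  Path1 := '';
  Path2 := '';
  // Only take the buffer when the conversion succeeded; the original ignored
  // the result, so a failed second call silently repeated the first path.
  if (pidlItem.dwItem1 <> nil) and SHGetPathFromIDList(pidlItem.dwItem1, PathChar) then
    Path1 := PathChar;
  if (pidlItem.dwItem2 <> nil) and SHGetPathFromIDList(pidlItem.dwItem2, PathChar) then
    Path2 := PathChar;
  MemoInfo.Lines.Add(shEventName(Path1, Path2, m.LParam));
end;

{ Toggle button: registers the watch when pressed, removes it when released,
  and logs the outcome in the memo. }
procedure TInspector.sbNotifyClick(Sender: TObject);
begin
  if sbNotify.Down then
  begin
    Caption := Application.Title + ' - 运行中';
    if MemoInfo.Lines[0] = '' then sbClear.Click;
    if shnRegister(self.Handle) then MemoInfo.Lines.Add('监测程序注册成功')
    else MemoInfo.Lines.Add('监测程序注册失败, 请重新注册');
  end
  else
  begin
    Caption := Application.Title + ' - 已停止';
    if shnUnRegister then MemoInfo.Lines.Add('撤消监测程序成功')
    else MemoInfo.Lines.Add('撤消监测程序失败');
    MemoInfo.Lines.Add('');
  end;
end;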
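{ Shell change-notification event ids (SHCNE_*); the handler receives one in lParam. }
  SHCNE_RENAMEITEM = $1;
  SHCNE_CREATE = $2;
  SHCNE_DELETE = $4;
  SHCNE_MKDIR = $8;
  SHCNE_RMDIR = $10;
  SHCNE_MEDIAINSERTED = $20;
  SHCNE_MEDIAREMOVED = $40;
  SHCNE_DRIVEREMOVED = $80;
  SHCNE_DRIVEADD = $100;
  SHCNE_NETSHARE = $200;
  SHCNE_NETUNSHARE = $400;
  SHCNE_ATTRIBUTES = $800;
  SHCNE_UPDATEDIR = $1000;
  SHCNE_UPDATEITEM = $2000;
  SHCNE_SERVERDISCONNECT = $4000;
  SHCNE_UPDATEIMAGE = $8000;
  SHCNE_DRIVEADDGUI = $10000;
  SHCNE_RENAMEFOLDER = $20000;
  SHCNE_FREESPACE = $40000;
  SHCNE_ASSOCCHANGED = $8000000;
  SHCNE_DISKEVENTS = $2381F;
  SHCNE_GLOBALEVENTS = $C0581E0;
  SHCNE_ALLEVENTS = $7FFFFFFF;
  SHCNE_INTERRUPT = $80000000;

  { SHCNF_* item-type flags, as declared by this listing. }
  SHCNF_IDLIST = 0;
  SHCNF_PATHA = $1;
  SHCNF_PRINTERA = $2;
  SHCNF_DWORD = $3;
  SHCNF_PATHW = $5;
  SHCNF_PRINTERW = $6;
  SHCNF_TYPE = $FF;
  SHCNF_FLUSH = $1000;
  SHCNF_FLUSHNOWAIT = $2000;
  SHCNF_PATH = SHCNF_PATHW;
  SHCNF_PRINTER = SHCNF_PRINTERW;

  { Window message the shell is asked to post; $401 equals WM_USER + 1. }
  WM_SHNOTIFY = $401;
  NOERROR = 0;

type
  { Pair of item-id lists that the notification message's wParam points to. }
  PSHNotifyStruct = ^TSHNotifyStruct;
  TSHNotifyStruct = record
    dwItem1: PItemIDList;
    dwItem2: PItemIDList;
  end;

  PSHFileInfoByte = ^TSHFileInfoByte;
  _SHFILEINFOBYTE = record
    hIcon: Integer;
    iIcon: Integer;
    dwAttributes: Integer;
    szDisplayName: array [0..259] of Char;
    szTypeName: array [0..79] of Char;
  end;
  TSHFileInfoByte = _SHFILEINFOBYTE;

  { One watch entry handed to SHChangeNotifyRegister. }
  PIDLStruct = ^TIDLStruct;
  _IDLSTRUCT = record
    pidl: PItemIDList;
    bWatchSubFolders: Integer;
  end;
  TIDLStruct = _IDLSTRUCT;

  { Form class }
  TInspector = class(TForm)
    MemoInfo: TMemo;
    sbNotify: TSpeedButton;
    sbClear: TSpeedButton;
    sbSave: TSpeedButton;
    procedure FormClose(Sender: TObject; var Action: TCloseAction);
    procedure sbNotifyClick(Sender: TObject);
    procedure sbClearClick(Sender: TObject);
    procedure sbSaveClick(Sender: TObject);
    procedure FormKeyPress(Sender: TObject; var Key: Char);
  private
    procedure WMnotify(var m: TMessage); message WM_SHNOTIFY;
  end;

{ Both registration functions are bound by ordinal, which is not a stable
  contract. NOTE(review): later Windows SDKs document these two functions and
  shell32 exports them by name - confirm for the target OS and prefer binding
  by name. }
function SHChangeNotifyRegister(hWnd, uFlags, dwEventID, uMSG, cItems: LongWord;
  lpps: PIDLStruct): integer; stdcall;
  external 'Shell32.dll' index 2;

function SHChangeNotifyDeregister(hNotify: integer): integer; stdcall;
  external 'Shell32.dll' index 4;

function SHGetFileInfoPidl(pidl: PItemIDList;
  dwFileAttributes: integer;
  psfib: PSHFileInfoByte;
  cbFileInfo: integer;
  uFlags: integer): integer; stdcall;
  external 'Shell32.dll' name 'SHGetFileInfoA';

function shnRegister(hWnd: integer): Boolean;
function shnUnRegister: Boolean;
function shEventName(Path1, Path2: string; lParam: integer): string;

var
  Inspector: TInspector;
  inotify: integer;          // registration handle; 0 means "not registered"
  IDLDesktop: PItemIDList;   // PIDL of the desktop folder, filled by shnRegister

implementation

{$R *.DFM}

{ Registers hWnd for shell change notifications on the desktop folder and its
  subfolders. Returns True when a registration handle was obtained; returns
  False when already registered or when any step fails. }
function shnRegister(hWnd: integer): Boolean;
var
  entry: TIDLStruct;
begin
  {$R-}  // SHCNE_ALLEVENTS or SHCNE_INTERRUPT does not fit a signed 32-bit range
  Result := False;
  if inotify = 0 then
  begin
    if SHGetSpecialFolderLocation(0, CSIDL_DESKTOP, IDLDesktop) <> NOERROR then
      Exit;
    if IDLDesktop <> nil then
    begin
      // The original allocated SizeOf(ps) bytes - the size of the pointer, not
      // of the record - and then wrote both fields through it, overrunning the
      // heap block; the block was never freed either. A stack record has the
      // right size and needs no cleanup.
      entry.pidl := IDLDesktop;
      entry.bWatchSubFolders := 1;
      // NOTE(review): uFlags is passed as SHCNF_TYPE or SHCNF_IDLIST ($FF);
      // the documented source flags for this parameter are the SHCNRF_*
      // values - confirm which bits are intended.
      inotify := SHChangeNotifyRegister(hWnd,
        (SHCNF_TYPE or SHCNF_IDLIST),
        (SHCNE_ALLEVENTS or SHCNE_INTERRUPT),
        WM_SHNOTIFY, 1, @entry);
      // Compare with 0 instead of casting Integer to Boolean; the cast may
      // keep only the low byte of the handle.
      Result := inotify <> 0;
    end;
  end;
  {$R+}
  // NOTE(review): IDLDesktop is never released in this listing; it should be
  // freed with the shell allocator once the watch is torn down.
end;

{ Cancels the registration made by shnRegister. Returns True only when a
  registration existed and the shell reported that it was removed. }
function shnUnRegister: Boolean;
begin
  Result := False;
  if inotify <> 0 then
    if SHChangeNotifyDeregister(inotify) <> 0 then
    begin
      {$R-}
      inotify := 0;
      Result := True;
      {$R+}
    end;
end;

{ Builds the log line for one event id. Unknown ids produce the generic
  "unknown operation" text with the numeric code. }
function shEventName(Path1, Path2: string; lParam: integer): string;
begin
  Result := '未知操作, 操作代码: #' + IntToStr(lParam);
  case lParam of
    SHCNE_RENAMEITEM: Result := '更名文件: ' + Path1 + ', ' + Path2;
    SHCNE_CREATE: Result := '建立文件: ' + Path1;
    SHCNE_DELETE: Result := '删除文件: ' + Path1;
    SHCNE_MKDIR: Result := '新建目录: ' + Path1;
    SHCNE_RMDIR: Result := '删除目录: ' + Path1;
    SHCNE_MEDIAINSERTED: Result := '插入可移动存储介质: ' + Path1;
    SHCNE_MEDIAREMOVED: Result := '移去可移动存储介质: ' + Path1;
    SHCNE_DRIVEREMOVED: Result := '移去驱动器: ' + Path1;
    SHCNE_DRIVEADD: Result := '添加驱动器: ' + Path1;
    SHCNE_NETSHARE: Result := '改变目录共享属性: ' + Path1;
    SHCNE_ATTRIBUTES: Result := '改变文件目录属性: ' + Path1;
    SHCNE_UPDATEDIR: Result := '更新目录: ' + Path1;
    SHCNE_UPDATEITEM: Result := '更新文件: ' + Path1;
    SHCNE_SERVERDISCONNECT: Result := '断开与服务器的连接: ' + Path1 + ', ' + Path2;
    SHCNE_UPDATEIMAGE: Result := '更新文件管理印象: ' + Path1;
    SHCNE_DRIVEADDGUI: Result := '驱动添加GUI接口: ' + Path1;
    SHCNE_RENAMEFOLDER: Result := '重命名文件夹: ' + Path1 + ', ' + Path2;
    SHCNE_FREESPACE: Result := '改变磁盘空间大小: ' + Path1;
    SHCNE_ASSOCCHANGED: Result := '改变文件关联方式: ' + Path1;
  end;
end;

{ Handler for WM_SHNOTIFY: resolves the two item-id lists to paths and appends
  a description of the event to the memo. }
procedure TInspector.WMnotify(var m: TMessage);
var
  Path1, Path2: string;
  PathChar: array [0..259] of Char;
  pidlItem: PSHNotifyStruct;
begin
  // NOTE(review): WM_SHNOTIFY is WM_USER + 1, a number other code that can
  // message this window may also use, and wParam is dereferenced as a pointer.
  // The nil checks below reduce that exposure but cannot prove the sender.
  pidlItem := PSHNotifyStruct(m.WParam);
  if pidlItem = nil then
    Exit;
  Path1 := '';
  Path2 := '';
  // Only take the buffer when the conversion succeeded; the original ignored
  // the result, so a failed second call silently repeated the first path.
  if (pidlItem.dwItem1 <> nil) and SHGetPathFromIDList(pidlItem.dwItem1, PathChar) then
    Path1 := PathChar;
  if (pidlItem.dwItem2 <> nil) and SHGetPathFromIDList(pidlItem.dwItem2, PathChar) then
    Path2 := PathChar;
  MemoInfo.Lines.Add(shEventName(Path1, Path2, m.LParam));
end;

{ Toggle button: registers the watch when pressed, removes it when released,
  and logs the outcome in the memo. }
procedure TInspector.sbNotifyClick(Sender: TObject);
begin
  if sbNotify.Down then
  begin
    Caption := Application.Title + ' - 运行中';
    if MemoInfo.Lines[0] = '' then sbClear.Click;
    if shnRegister(self.Handle) then MemoInfo.Lines.Add('监测程序注册成功')
    else MemoInfo.Lines.Add('监测程序注册失败, 请重新注册');
  end
  else
  begin
    Caption := Application.Title + ' - 已停止';
    if shnUnRegister then MemoInfo.Lines.Add('撤消监测程序成功')
    else MemoInfo.Lines.Add('撤消监测程序失败');
    MemoInfo.Lines.Add('');
  end;
end;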
1、PItemIDList这个包含在哪个单元里?
2、SHGetSpecialFolderLocation这个函数没有定义呀,还是在另外哪个单元中?
3、CSIDL_DESKTOP 这个常量没有定义!
4、SHGetPathFromIDList这个函数也没定义呀!
是不是要用到其它什么单元?不知是否是DELPHI中自带的?
2.同上
3.同上
4.同上
中的定义如下:
Function SHChangeNotifyRegister(hWnd,uFlags,dwEventID,uMSG,cItems:LongWord;
lpps:PIDLSTRUCT):integer;stdcall;external 'Shell32.dll' index 2;
其中参数hWnd定义了监视系统操作的窗口的句柄,参数uFlags和dwEventID定义监视操作参数,参数uMsg定义操作消息,参数cItems
定义附加参数,参数lpps指定一个PIDLSTRUCT结构,该结构指定监视的目录。
当函数调用成功之后,函数会返回一个监视操作句柄,同时系统就会将hWnd指定的窗口加入到操作监视链中,当有文件操作发生
时,系统会向hWnd发送uMsg指定的消息,我们只要在程序中加入该消息的处理函数就可以实现对系统操作的监视了。
如果要退出程序监视,就要调用另外一个未公开的函数SHChangeNotifyDeregister来取消程序监视。
下面是使用Delphi编写的具体程序实现范例,首先建立一个新的工程文件,然后在Form1中加入一个Button控件和一个Memo控件,
程序的代码如下:
unit Unit1;

interface

uses
Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs,
StdCtrls,shlobj,Activex;const
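{ Shell change-notification event ids (SHCNE_*); the handler receives one in lParam. }
  SHCNE_RENAMEITEM = $1;
  SHCNE_CREATE = $2;
  SHCNE_DELETE = $4;
  SHCNE_MKDIR = $8;
  SHCNE_RMDIR = $10;
  SHCNE_MEDIAINSERTED = $20;
  SHCNE_MEDIAREMOVED = $40;
  SHCNE_DRIVEREMOVED = $80;
  SHCNE_DRIVEADD = $100;
  SHCNE_NETSHARE = $200;
  SHCNE_NETUNSHARE = $400;
  SHCNE_ATTRIBUTES = $800;
  SHCNE_UPDATEDIR = $1000;
  SHCNE_UPDATEITEM = $2000;
  SHCNE_SERVERDISCONNECT = $4000;
  SHCNE_UPDATEIMAGE = $8000;
  SHCNE_DRIVEADDGUI = $10000;
  SHCNE_RENAMEFOLDER = $20000;
  SHCNE_FREESPACE = $40000;
  SHCNE_ASSOCCHANGED = $8000000;
  SHCNE_DISKEVENTS = $2381F;
  SHCNE_GLOBALEVENTS = $C0581E0;
  SHCNE_ALLEVENTS = $7FFFFFFF;
  SHCNE_INTERRUPT = $80000000;

  SHCNF_IDLIST = 0;        // LPITEMIDLIST
  SHCNF_PATHA = $1;        // path name
  SHCNF_PRINTERA = $2;     // printer friendly name
  SHCNF_DWORD = $3;        // DWORD
  SHCNF_PATHW = $5;        // path name
  SHCNF_PRINTERW = $6;     // printer friendly name
  SHCNF_TYPE = $FF;
  SHCNF_FLUSH = $1000;
  SHCNF_FLUSHNOWAIT = $2000;
  SHCNF_PATH = SHCNF_PATHW;
  SHCNF_PRINTER = SHCNF_PRINTERW;

  { Window message the shell is asked to post; $401 equals WM_USER + 1. }
  WM_SHNOTIFY = $401;
  NOERROR = 0;

type
  TForm1 = class(TForm)
    Button1: TButton;
    Memo1: TMemo;
    procedure FormClose(Sender: TObject; var Action: TCloseAction);
    procedure Button1Click(Sender: TObject);
    procedure FormCreate(Sender: TObject);
  private
    { Private declarations }
    procedure WMShellReg(var Message: TMessage); message WM_SHNOTIFY;
  public
    { Public declarations }
  end;

type
  { Pair of item-id lists that the notification message's wParam points to. }
  PSHNOTIFYSTRUCT = ^SHNOTIFYSTRUCT;
  SHNOTIFYSTRUCT = record
    dwItem1: PItemIDList;
    dwItem2: PItemIDList;
  end;

type
  PSHFileInfoByte = ^SHFileInfoByte;
  _SHFileInfoByte = record
    hIcon: Integer;
    iIcon: Integer;
    dwAttributes: Integer;
    szDisplayName: array [0..259] of char;
    szTypeName: array [0..79] of char;
  end;
  SHFileInfoByte = _SHFileInfoByte;

type
  { One watch entry handed to SHChangeNotifyRegister. }
  PIDLSTRUCT = ^IDLSTRUCT;
  _IDLSTRUCT = record
    pidl: PItemIDList;
    bWatchSubFolders: Integer;
  end;
  IDLSTRUCT = _IDLSTRUCT;

function SHNotify_Register(hWnd: Integer): Bool;
function SHNotify_UnRegister: Bool;
function SHEventName(strPath1, strPath2: string; lParam: Integer): string;

{ Both registration functions are bound by ordinal, which is not a stable
  contract. NOTE(review): later Windows SDKs document these two functions and
  shell32 exports them by name - confirm for the target OS and prefer binding
  by name. }
function SHChangeNotifyDeregister(hNotify: integer): integer; stdcall;
  external 'Shell32.dll' index 4;
function SHChangeNotifyRegister(hWnd, uFlags, dwEventID, uMSG, cItems: LongWord;
  lpps: PIDLSTRUCT): integer; stdcall; external 'Shell32.dll' index 2;
function SHGetFileInfoPidl(pidl: PItemIDList;
  dwFileAttributes: Integer;
  psfib: PSHFILEINFOBYTE;
  cbFileInfo: Integer;
  uFlags: Integer): Integer; stdcall;
  external 'Shell32.dll' name 'SHGetFileInfoA';

var
  Form1: TForm1;
  m_hSHNotify: Integer;          // registration handle; 0 means "not registered"
  m_pidlDesktop: PItemIDList;    // PIDL of the desktop folder while registered

implementation

{$R *.DFM}

{ Builds the log line for one event id; unknown ids fall through to the
  generic text with the numeric code. }
function SHEventName(strPath1, strPath2: string; lParam: Integer): string;
var
  sEvent: String;
begin
  case lParam of  // choose the message text for the event id
    SHCNE_RENAMEITEM: sEvent := '重命名文件' + strPath1 + '为' + strpath2;
    SHCNE_CREATE: sEvent := '建立文件 文件名:' + strPath1;
    SHCNE_DELETE: sEvent := '删除文件 文件名:' + strPath1;
    SHCNE_MKDIR: sEvent := '新建目录 目录名:' + strPath1;
    SHCNE_RMDIR: sEvent := '删除目录 目录名:' + strPath1;
    SHCNE_MEDIAINSERTED: sEvent := strPath1 + '中插入可移动存储介质';
    SHCNE_MEDIAREMOVED: sEvent := strPath1 + '中移去可移动存储介质' + strPath1 + ' ' + strpath2;
    SHCNE_DRIVEREMOVED: sEvent := '移去驱动器' + strPath1;
    SHCNE_DRIVEADD: sEvent := '添加驱动器' + strPath1;
    SHCNE_NETSHARE: sEvent := '改变目录' + strPath1 + '的共享属性';
    SHCNE_ATTRIBUTES: sEvent := '改变文件目录属性 文件名' + strPath1;
    SHCNE_UPDATEDIR: sEvent := '更新目录' + strPath1;
    SHCNE_UPDATEITEM: sEvent := '更新文件 文件名:' + strPath1;
    SHCNE_SERVERDISCONNECT: sEvent := '断开与服务器的连接' + strPath1 + ' ' + strpath2;
    SHCNE_UPDATEIMAGE: sEvent := 'SHCNE_UPDATEIMAGE';
    SHCNE_DRIVEADDGUI: sEvent := 'SHCNE_DRIVEADDGUI';
    SHCNE_RENAMEFOLDER: sEvent := '重命名文件夹' + strPath1 + '为' + strpath2;
    SHCNE_FREESPACE: sEvent := '磁盘空间大小改变';
    SHCNE_ASSOCCHANGED: sEvent := '改变文件关联';
  else
    sEvent := '未知操作' + IntToStr(lParam);
  end;
  Result := sEvent;
end;

{ Registers hWnd for shell change notifications on the desktop folder and its
  subfolders. Returns True when a registration handle was obtained. }
function SHNotify_Register(hWnd: Integer): Bool;
var
  entry: IDLSTRUCT;
begin
  {$R-}  // SHCNE_ALLEVENTS or SHCNE_INTERRUPT does not fit a signed 32-bit range
  Result := False;
  if m_hSHNotify = 0 then
  begin
    // Fetch the PIDL of the desktop folder.
    if SHGetSpecialFolderLocation(0, CSIDL_DESKTOP, m_pidlDesktop) <> NOERROR then
    begin
      // The original closed the form but kept running with whatever the
      // failed call left in m_pidlDesktop; stop here instead.
      m_pidlDesktop := nil;
      Form1.Close;
      Exit;
    end;
    if m_pidlDesktop <> nil then
    begin
      // The original wrote through "ps", a PIDLSTRUCT that was never
      // allocated or initialised, corrupting whatever it happened to point
      // at. A stack record gives the call a valid entry to read.
      entry.bWatchSubFolders := 1;
      entry.pidl := m_pidlDesktop;
      // Register for shell notifications with SHChangeNotifyRegister.
      // NOTE(review): uFlags is passed as SHCNF_TYPE or SHCNF_IDLIST ($FF);
      // the documented source flags for this parameter are the SHCNRF_*
      // values - confirm which bits are intended.
      m_hSHNotify := SHChangeNotifyRegister(hWnd, (SHCNF_TYPE or SHCNF_IDLIST),
        (SHCNE_ALLEVENTS or SHCNE_INTERRUPT),
        WM_SHNOTIFY, 1, @entry);
      // Compare with 0 instead of casting Integer to Boolean; the cast may
      // keep only the low byte of the handle.
      Result := m_hSHNotify <> 0;
      if not Result then
      begin
        // Registration failed: release the desktop PIDL. The original freed
        // it only in the branch where the pointer was already nil.
        CoTaskMemFree(m_pidlDesktop);
        m_pidlDesktop := nil;
      end;
    end;
  end;
  {$R+}
end;

{ Cancels the registration and releases the desktop PIDL. Returns True only
  when a registration existed and the shell reported that it was removed. }
function SHNotify_UnRegister: Bool;
begin
  Result := False;
  if m_hSHNotify <> 0 then
    // Stop the notifications and release the desktop PIDL.
    if SHChangeNotifyDeregister(m_hSHNotify) <> 0 then
    begin
      {$R-}
      m_hSHNotify := 0;
      CoTaskMemFree(m_pidlDesktop);
      m_pidlDesktop := nil;  // avoid a dangling pointer and a second free
      Result := True;
      {$R+}  // the original repeated $R- here and left range checks off
    end;
end;

{ Handler for WM_SHNOTIFY: resolves the two item-id lists to paths and appends
  a description of the event to the memo. }
procedure TForm1.WMShellReg(var Message: TMessage);
var
  strPath1, strPath2: String;
  charPath: array[0..259] of char;
  pidlItem: PSHNOTIFYSTRUCT;
begin
  // NOTE(review): WM_SHNOTIFY is WM_USER + 1, a number other code that can
  // message this window may also use, and wParam is dereferenced as a pointer.
  // The nil checks below reduce that exposure but cannot prove the sender.
  pidlItem := PSHNOTIFYSTRUCT(Message.wParam);
  if pidlItem = nil then
    Exit;
  strPath1 := '';
  strPath2 := '';
  // Resolve the paths that belong to the event. Only take the buffer when the
  // conversion succeeded; the original ignored the result, so a failed second
  // call silently repeated the first path.
  if (pidlItem.dwItem1 <> nil) and SHGetPathFromIDList(pidlItem.dwItem1, charPath) then
    strPath1 := charPath;
  if (pidlItem.dwItem2 <> nil) and SHGetPathFromIDList(pidlItem.dwItem2, charPath) then
    strPath2 := charPath;
  Memo1.Lines.Add(SHEvEntName(strPath1, strPath2, Message.lParam) + chr(13) + chr(10));
end;

procedure TForm1.FormClose(Sender: TObject; var Action: TCloseAction);
begin
  // Remove the watch when the program exits.
  if m_pidlDesktop <> nil then
    SHNotify_Unregister;
end;

{ Click handler of Button1: registers the shell watch and reports the result. }
procedure TForm1.Button1Click(Sender: TObject);
begin
  m_hSHNotify := 0;
  if SHNotify_Register(Form1.Handle) then
  begin
    ShowMessage('Shell监视程序成功注册');
    Button1.Enabled := False;
  end
  else
    ShowMessage('Shell监视程序注册失败');
end;

procedure TForm1.FormCreate(Sender: TObject);
begin
  Button1.Caption := '打开监视';
end;

end.
运行程序,点击“打开监视”按钮,如果出现一个显示“Shell监视程序成功注册”的对话框,说明Form1已经加入到系统操作监视链中了,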
你可以试着在资源管理器中建立、删除文件夹,移动文件等操作,你可以发现这些操作都被记录下来并显示在文
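{ Handler for WM_SHNOTIFY: resolves the two item-id lists to paths and appends
  a description of the event to the memo. }
procedure TForm1.WMShellReg(var Message: TMessage);
var
  strPath1, strPath2: String;
  charPath: array[0..259] of char;
  pidlItem: PSHNOTIFYSTRUCT;
begin
  // NOTE(review): wParam is dereferenced as a pointer; if the message number
  // can be sent by other code, the nil checks below reduce that exposure but
  // cannot prove the sender.
  pidlItem := PSHNOTIFYSTRUCT(Message.wParam);
  if pidlItem = nil then
    Exit;
  strPath1 := '';
  strPath2 := '';
  // Resolve the paths that belong to the event. Only take the buffer when the
  // conversion succeeded; the original ignored the result, so a failed second
  // call silently repeated the first path.
  if (pidlItem.dwItem1 <> nil) and SHGetPathFromIDList(pidlItem.dwItem1, charPath) then
    strPath1 := charPath;
  if (pidlItem.dwItem2 <> nil) and SHGetPathFromIDList(pidlItem.dwItem2, charPath) then
    strPath2 := charPath;
  Memo1.Lines.Add(SHEvEntName(strPath1, strPath2, Message.lParam) + chr(13) + chr(10));
end;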
strPath1, strPath2分别是源以及目标路径
你有否发现,使用SHChangeNotifyRegister时当用户进行文件操作数比较多时(大于6个),它给我发回来的消息中只有4至5个,还有些去哪了?是程序处理时太慢漏了吗?
大家看看这个:
实时反病毒的关键技术-FileHooking 应用程序通过使用动态加载的VxD,间接获得了对Windows9x系统的控制权,但要实现对系统中所有文件I/O操作的实时监视,还要用到另一种关键技术-FileHooking,通过挂接一个处理函数,截获所有与文件I/O操作有关的系统调用。Windows9x使用32位保护模式可安装文件系统(IFS),由可安装文件系统管理器(IFSManager)协调对文件系统和设备的访问,它接收以Win32API函数调用形式向系统发出的文件I/O请求,再将请求转给文件系统驱动程序FSD,由它调用低级别的IOS系统实现最终访问。每个文件I/OAPI调用都有一个特定的FSD函数与之对应,IFSManager负责完成由API到FSD的参数装配工作,在完成文件I/OAPI函数参数的装配之后转相应FSD执行之前,它会调用一个称为FileSystemApiHookFunction的Hooker函数。通过安装自己的Hooker函数,就可以截获系统内所有对文件I/O的API调用,并适时对相关文件进行病毒检查,从而实现实时监控。 上述过程由用户VxD调用系统VxDIFSMgr提供的服务完成,该VxD提供了丰富的底层文件操作功能:IFSMgr_InstallSyatemApiHook函数用来安装FileSystemApiHookFunction,IFSMgr_RemoveSystemApiHook用来卸除Hooker,IFSMgr_Ring0_FileIO用来对文件和磁盘扇区进行读写访问等等。当由IFSManager转入SystemApiHookFunction时,带有6个参数:FileSystemApiHookFunction(
pIFSFuncFSDFnAddr,
//对应FSD服务函数地址
intFunctionNum,
//与API对应的FSD服务功能号(详见下面)
intDrive,
//驱动器代号(1=A,2=B,3=C...)
intResourceFlags,
//资源标志(详见下面)
intCodePage,
//代码页(0=ANSI,1=OEM)
pioreqpir
//指向IOREQ结构的指针
) 参数中比较重要的是FSD功能号、驱动器号和IOREQ结构指针3项。如需截获某个文件I/OAPI调用,只需在Hooker中对相应FSD功能号进行处理 系统中可挂接多个Hooker,形成一条链。IFSMgr_InstallFileSystemApiHook安装Hooker成功时返回前一个Hooker地址,每个Hooker在做特定处理后总应调用前一个Hooker,最后安装的Hooker最先被调用。在VxD中调用其他VxD服务采用INT20h指令后跟一个双字的特殊格式,其中高字为被调用VxD的ID号(系统VxD的ID固定),低字为该VxD之服务号,这一形式称为VxDcall,如:int20h
dd00400043h
;VxDCallIFSMgr_InstallSystemApiHook
int20h
dd00400044h
;VxDCallIFSMgr_RemoveSystemApiHook
int20h
dd00400043h
;VxDCallIFSMgr_InstallSystemApiHook
int20h
dd00400044h
;VxDCallIFSMgr_RemoveSystemApiHook
哪位有用过filehook?指点一二呀!